@node9/proxy 1.0.4 → 1.0.6

package/README.md

@@ -16,11 +16,7 @@ While others try to _guess_ if a prompt is malicious (Semantic Security), Node9
 **AIs are literal.** When you ask an agent to "Fix my disk space," it might decide to run `docker system prune -af`.
 
 <p align="center">
-<<<<<<< dev
-  <img src="https://github.com/user-attachments/assets/afae9caa-0605-4cac-929a-c14198383169" width="100%">
-=======
   <img src="https://github.com/user-attachments/assets/0e45e843-4cf7-408e-95ce-23fb09525ee4" width="100%">
->>>>>>> main
 </p>
 
 **With Node9, the interaction looks like this:**
@@ -79,6 +75,8 @@ Revert to this snapshot? [y/N]
 
 Node9 keeps the last 10 snapshots. Snapshots are only taken for file-writing tools (`write_file`, `edit_file`, `str_replace_based_edit_tool`, `create_file`) — not for read-only or shell commands.
 
+Node9 keeps the last 10 snapshots. Snapshots are only taken for file-writing tools (`write_file`, `edit_file`, `str_replace_based_edit_tool`, `create_file`) — not for read-only or shell commands.
+
 ### 🌊 The Resolution Waterfall
 
 Security posture is resolved using a strict 5-tier waterfall:
@@ -97,13 +95,17 @@ Security posture is resolved using a strict 5-tier waterfall:
 npm install -g @node9/proxy
 
 # 1. Setup protection for your favorite agent
-node9 addto claude
+node9 setup           # interactive menu — picks the right agent for you
+node9 addto claude    # or wire directly
 node9 addto gemini
 
 # 2. Initialize your local safety net
 node9 init
 
-# 3. Check your status
+# 3. Verify everything is wired correctly
+node9 doctor
+
+# 4. Check your status
 node9 status
 ```
 
@@ -128,6 +130,7 @@ Rules are **merged additive**—you cannot "un-danger" a word locally if it was
   "settings": {
     "mode": "standard",
     "enableUndo": true,
+    "approvalTimeoutMs": 30000,
     "approvers": {
       "native": true,
       "browser": true,
@@ -142,13 +145,211 @@ Rules are **merged additive**—you cannot "un-danger" a word locally if it was
     "toolInspection": {
       "bash": "command",
       "postgres:query": "sql"
-    }
+    },
+    "rules": [
+      { "action": "rm", "allowPaths": ["**/node_modules/**", "dist/**"] },
+      { "action": "push", "blockPaths": ["**"] }
+    ],
+    "smartRules": [
+      {
+        "name": "no-delete-without-where",
+        "tool": "*",
+        "conditions": [
+          { "field": "sql", "op": "matches", "value": "^(DELETE|UPDATE)\\s", "flags": "i" },
+          { "field": "sql", "op": "notMatches", "value": "\\bWHERE\\b", "flags": "i" }
+        ],
+        "verdict": "review",
+        "reason": "DELETE/UPDATE without WHERE — would affect every row"
+      }
+    ]
   }
 }
 ```
 
+### ⚙️ `settings` options
+
+| Key                  | Default      | Description                                                  |
+| :------------------- | :----------- | :----------------------------------------------------------- |
+| `mode`               | `"standard"` | `standard` \| `strict` \| `audit`                            |
+| `enableUndo`         | `true`       | Take git snapshots before every AI file edit                 |
+| `approvalTimeoutMs`  | `0`          | Auto-deny after N ms if no human responds (0 = wait forever) |
+| `approvers.native`   | `true`       | OS-native popup                                              |
+| `approvers.browser`  | `true`       | Browser dashboard (`node9 daemon`)                           |
+| `approvers.cloud`    | `true`       | Slack / SaaS approval                                        |
+| `approvers.terminal` | `true`       | `[Y/n]` prompt in terminal                                   |
+
+### 🧠 Smart Rules
+
+Smart rules match on **raw tool arguments** using structured conditions — more powerful than `dangerousWords` or `rules`, which only see extracted tokens.
+
+```json
+{
+  "name": "curl-pipe-to-shell",
+  "tool": "bash",
+  "conditions": [{ "field": "command", "op": "matches", "value": "curl.+\\|.*(bash|sh)" }],
+  "verdict": "block",
+  "reason": "curl piped to shell — remote code execution risk"
+}
+```
+
+**Fields:**
+
+| Field           | Description                                                                          |
+| :-------------- | :----------------------------------------------------------------------------------- |
+| `tool`          | Tool name or glob (`"bash"`, `"mcp__postgres__*"`, `"*"`)                            |
+| `conditions`    | Array of conditions evaluated against the raw args object                            |
+| `conditionMode` | `"all"` (AND, default) or `"any"` (OR)                                               |
+| `verdict`       | `"review"` (approval prompt) \| `"block"` (hard deny) \| `"allow"` (skip all checks) |
+| `reason`        | Human-readable explanation shown in the approval prompt and audit log                |
+
+**Condition operators:**
+
+| `op`          | Meaning                                                             |
+| :------------ | :------------------------------------------------------------------ |
+| `matches`     | Field value matches regex (`value` = pattern, `flags` = e.g. `"i"`) |
+| `notMatches`  | Field value does not match regex                                    |
+| `contains`    | Field value contains substring                                      |
+| `notContains` | Field value does not contain substring                              |
+| `exists`      | Field is present and non-empty                                      |
+| `notExists`   | Field is absent or empty                                            |
+
+The `field` key supports dot-notation for nested args: `"params.query.sql"`.
+
+**Built-in default smart rule** (always active, no config needed):
+
+```json
+{
+  "name": "no-delete-without-where",
+  "tool": "*",
+  "conditions": [
+    { "field": "sql", "op": "matches", "value": "^(DELETE|UPDATE)\\s", "flags": "i" },
+    { "field": "sql", "op": "notMatches", "value": "\\bWHERE\\b", "flags": "i" }
+  ],
+  "verdict": "review",
+  "reason": "DELETE/UPDATE without WHERE clause — would affect every row in the table"
+}
+```
+
+Use `node9 explain <tool> <args>` to dry-run any tool call and see exactly which smart rule (or other policy tier) would trigger.
+
 ---
 
+## 🖥️ CLI Reference
+
+| Command                       | Description                                                                           |
+| :---------------------------- | :------------------------------------------------------------------------------------ |
+| `node9 setup`                 | Interactive menu — detects installed agents and wires hooks for you                   |
+| `node9 addto <agent>`         | Wire hooks for a specific agent (`claude`, `gemini`, `cursor`)                        |
+| `node9 init`                  | Create default `~/.node9/config.json`                                                 |
+| `node9 status`                | Show current protection status and active rules                                       |
+| `node9 doctor`                | Health check — verifies binaries, config, credentials, and all agent hooks            |
+| `node9 explain <tool> [args]` | Trace the policy waterfall for a given tool call (dry-run, no approval prompt)        |
+| `node9 undo [--steps N]`      | Revert the last N AI file edits using shadow Git snapshots                            |
+| `node9 check`                 | Called by agent hooks; evaluates a pending tool call and exits 0 (allow) or 1 (block) |
+
+### `node9 doctor`
+
+Runs a full self-test and exits 1 if any required check fails:
+
+```
+Node9 Doctor  v1.2.0
+────────────────────────────────────────
+Binaries
+  ✅  Node.js v20.11.0
+  ✅  git version 2.43.0
+
+Configuration
+  ✅  ~/.node9/config.json found and valid
+  ✅  ~/.node9/credentials.json — cloud credentials found
+
+Agent Hooks
+  ✅  Claude Code — PreToolUse hook active
+  ⚠️  Gemini CLI — not configured (optional)
+  ⚠️  Cursor — not configured (optional)
+
+────────────────────────────────────────
+All checks passed ✅
+```
+
+### `node9 explain`
+
+Dry-runs the policy engine and prints exactly which rule (or waterfall tier) would block or allow a given tool call — useful for debugging your config:
+
+```bash
+node9 explain bash '{"command":"rm -rf /tmp/build"}'
+```
+
+```
+Policy Waterfall for: bash
+──────────────────────────────────────────────
+Tier 1 · Cloud Org Policy       SKIP  (no org policy loaded)
+Tier 2 · Dangerous Words        BLOCK ← matched "rm -rf"
+Tier 3 · Path Block             –
+Tier 4 · Inline Exec            –
+Tier 5 · Rule Match             –
+──────────────────────────────────────────────
+Verdict: BLOCK  (dangerous word: rm -rf)
+```
+
+---
+
+## 🖥️ CLI Reference
+
+| Command                       | Description                                                                           |
+| :---------------------------- | :------------------------------------------------------------------------------------ |
+| `node9 setup`                 | Interactive menu — detects installed agents and wires hooks for you                   |
+| `node9 addto <agent>`         | Wire hooks for a specific agent (`claude`, `gemini`, `cursor`)                        |
+| `node9 init`                  | Create default `~/.node9/config.json`                                                 |
+| `node9 status`                | Show current protection status and active rules                                       |
+| `node9 doctor`                | Health check — verifies binaries, config, credentials, and all agent hooks            |
+| `node9 explain <tool> [args]` | Trace the policy waterfall for a given tool call (dry-run, no approval prompt)        |
+| `node9 undo [--steps N]`      | Revert the last N AI file edits using shadow Git snapshots                            |
+| `node9 check`                 | Called by agent hooks; evaluates a pending tool call and exits 0 (allow) or 1 (block) |
+
+### `node9 doctor`
+
+Runs a full self-test and exits 1 if any required check fails:
+
+```
+Node9 Doctor  v1.2.0
+────────────────────────────────────────
+Binaries
+  ✅  Node.js v20.11.0
+  ✅  git version 2.43.0
+
+Configuration
+  ✅  ~/.node9/config.json found and valid
+  ✅  ~/.node9/credentials.json — cloud credentials found
+
+Agent Hooks
+  ✅  Claude Code — PreToolUse hook active
+  ⚠️  Gemini CLI — not configured (optional)
+  ⚠️  Cursor — not configured (optional)
+
+────────────────────────────────────────
+All checks passed ✅
+```
+
+### `node9 explain`
+
+Dry-runs the policy engine and prints exactly which rule (or waterfall tier) would block or allow a given tool call — useful for debugging your config:
+
+```bash
+node9 explain bash '{"command":"rm -rf /tmp/build"}'
+```
+
+```
+Policy Waterfall for: bash
+──────────────────────────────────────────────
+Tier 1 · Cloud Org Policy       SKIP  (no org policy loaded)
+Tier 2 · Dangerous Words        BLOCK ← matched "rm -rf"
+Tier 3 · Path Block             –
+Tier 4 · Inline Exec            –
+Tier 5 · Rule Match             –
+──────────────────────────────────────────────
+Verdict: BLOCK  (dangerous word: rm -rf)
+```
+
 ---
 
 ## 🔧 Troubleshooting
@@ -181,4 +382,4 @@ A corporate policy has locked this action. You must click the "Approve" button i
 ## 🏢 Enterprise & Compliance
 
 Node9 Pro provides **Governance Locking**, **SAML/SSO**, and **VPC Deployment**.
-Visit [node9.ai](https://node9.ai
+Visit [node9.ai](https://node9.ai)

package/dist/cli.js

@@ -344,6 +344,43 @@ function getNestedValue(obj, path6) {
   if (!obj || typeof obj !== "object") return null;
   return path6.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
+function evaluateSmartConditions(args, rule) {
+  if (!rule.conditions || rule.conditions.length === 0) return true;
+  const mode = rule.conditionMode ?? "all";
+  const results = rule.conditions.map((cond) => {
+    const rawVal = getNestedValue(args, cond.field);
+    const val = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    switch (cond.op) {
+      case "exists":
+        return val !== null && val !== "";
+      case "notExists":
+        return val === null || val === "";
+      case "contains":
+        return val !== null && cond.value ? val.includes(cond.value) : false;
+      case "notContains":
+        return val !== null && cond.value ? !val.includes(cond.value) : true;
+      case "matches": {
+        if (val === null || !cond.value) return false;
+        try {
+          return new RegExp(cond.value, cond.flags ?? "").test(val);
+        } catch {
+          return false;
+        }
+      }
+      case "notMatches": {
+        if (val === null || !cond.value) return true;
+        try {
+          return !new RegExp(cond.value, cond.flags ?? "").test(val);
+        } catch {
+          return true;
+        }
+      }
+      default:
+        return false;
+    }
+  });
+  return mode === "any" ? results.some((r) => r) : results.every((r) => r);
+}
 function extractShellCommand(toolName, args, toolInspection) {
   const patterns = Object.keys(toolInspection);
   const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
@@ -360,15 +397,6 @@ function isSqlTool(toolName, toolInspection) {
   return fieldName === "sql" || fieldName === "query";
 }
 var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
-function checkDangerousSql(sql) {
-  const norm = sql.replace(/\s+/g, " ").trim().toLowerCase();
-  const hasWhere = /\bwhere\b/.test(norm);
-  if (/^delete\s+from\s+\S+/.test(norm) && !hasWhere)
-    return "DELETE without WHERE \u2014 full table wipe";
-  if (/^update\s+\S+\s+set\s+/.test(norm) && !hasWhere)
-    return "UPDATE without WHERE \u2014 updates every row";
-  return null;
-}
 async function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
@@ -468,6 +496,8 @@ var DEFAULT_CONFIG = {
     enableUndo: true,
     // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
     enableHookLogDebug: false,
+    approvalTimeoutMs: 0,
+    // 0 = disabled; set e.g. 30000 for 30-second auto-deny
     approvers: { native: true, browser: true, cloud: true, terminal: true }
   },
   policy: {
@@ -516,6 +546,19 @@ var DEFAULT_CONFIG = {
           ".DS_Store"
         ]
       }
+    ],
+    smartRules: [
+      {
+        name: "no-delete-without-where",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
+          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+      }
     ]
   },
   environments: {}
@@ -562,6 +605,19 @@ function getInternalToken() {
 async function evaluatePolicy(toolName, args, agent) {
   const config = getConfig();
   if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
+  if (config.policy.smartRules.length > 0) {
+    const matchedRule = config.policy.smartRules.find(
+      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+    );
+    if (matchedRule) {
+      if (matchedRule.verdict === "allow") return { decision: "allow" };
+      return {
+        decision: matchedRule.verdict,
+        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
+        reason: matchedRule.reason
+      };
+    }
+  }
   let allTokens = [];
   let actionTokens = [];
   let pathTokens = [];
@@ -576,8 +632,6 @@ async function evaluatePolicy(toolName, args, agent) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)" };
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
-      const sqlDanger = checkDangerousSql(shellCommand);
-      if (sqlDanger) return { decision: "review", blockedByLabel: `SQL Safety: ${sqlDanger}` };
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
@@ -707,6 +761,44 @@ async function explainPolicy(toolName, args) {
     outcome: "checked",
     detail: `"${toolName}" not in ignoredTools list`
   });
+  if (config.policy.smartRules.length > 0) {
+    const matchedRule = config.policy.smartRules.find(
+      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+    );
+    if (matchedRule) {
+      const label = `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`;
+      if (matchedRule.verdict === "allow") {
+        steps.push({
+          name: "Smart rules",
+          outcome: "allow",
+          detail: `${label} \u2192 allow`,
+          isFinal: true
+        });
+        return { tool: toolName, args, waterfall, steps, decision: "allow" };
+      }
+      steps.push({
+        name: "Smart rules",
+        outcome: matchedRule.verdict,
+        detail: `${label} \u2192 ${matchedRule.verdict}${matchedRule.reason ? `: ${matchedRule.reason}` : ""}`,
+        isFinal: true
+      });
+      return {
+        tool: toolName,
+        args,
+        waterfall,
+        steps,
+        decision: matchedRule.verdict,
+        blockedByLabel: label
+      };
+    }
+    steps.push({
+      name: "Smart rules",
+      outcome: "checked",
+      detail: `No smart rule matched "${toolName}"`
+    });
+  } else {
+    steps.push({ name: "Smart rules", outcome: "skip", detail: "No smart rules configured" });
+  }
   let allTokens = [];
   let actionTokens = [];
   let pathTokens = [];
@@ -747,29 +839,12 @@ async function explainPolicy(toolName, args) {
       detail: "No inline execution pattern detected"
     });
     if (isSqlTool(toolName, config.policy.toolInspection)) {
-      const sqlDanger = checkDangerousSql(shellCommand);
-      if (sqlDanger) {
-        steps.push({
-          name: "SQL safety",
-          outcome: "review",
-          detail: sqlDanger,
-          isFinal: true
-        });
-        return {
-          tool: toolName,
-          args,
-          waterfall,
-          steps,
-          decision: "review",
-          blockedByLabel: `SQL Safety: ${sqlDanger}`
-        };
-      }
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       steps.push({
-        name: "SQL safety",
+        name: "SQL token stripping",
         outcome: "checked",
-        detail: "DELETE/UPDATE have a WHERE clause \u2014 scoped mutation, safe"
+        detail: "DML keywords stripped from tokens (SQL safety handled by smart rules)"
       });
     }
   } else {
@@ -1070,6 +1145,15 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
+    if (policyResult.decision === "block") {
+      if (!isManual) appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta);
+      return {
+        approved: false,
+        reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
+        blockedBy: "local-config",
+        blockedByLabel: policyResult.blockedByLabel
+      };
+    }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
@@ -1138,6 +1222,25 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   const abortController = new AbortController();
   const { signal } = abortController;
   const racePromises = [];
+  const approvalTimeoutMs = config.settings.approvalTimeoutMs ?? 0;
+  if (approvalTimeoutMs > 0) {
+    racePromises.push(
+      new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+          resolve({
+            approved: false,
+            reason: `No human response within ${approvalTimeoutMs / 1e3}s \u2014 auto-denied by timeout policy.`,
+            blockedBy: "timeout",
+            blockedByLabel: "Approval Timeout"
+          });
+        }, approvalTimeoutMs);
+        signal.addEventListener("abort", () => {
+          clearTimeout(timer);
+          reject(new Error("Aborted"));
+        });
+      })
+    );
+  }
   let viewerId = null;
   const internalToken = getInternalToken();
   if (cloudEnforced && cloudRequestId) {
@@ -1338,7 +1441,8 @@ function getConfig() {
     dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
     ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
     toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    rules: [...DEFAULT_CONFIG.policy.rules]
+    rules: [...DEFAULT_CONFIG.policy.rules],
+    smartRules: [...DEFAULT_CONFIG.policy.smartRules]
   };
   const applyLayer = (source) => {
     if (!source) return;
@@ -1357,6 +1461,7 @@ function getConfig() {
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
     if (p.rules) mergedPolicy.rules.push(...p.rules);
+    if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
@@ -3861,6 +3966,74 @@ program.command("init").description("Create ~/.node9/config.json with default po
     import_chalk5.default.gray(`   Undo Engine is ENABLED by default. Use 'node9 undo' to revert AI changes.`)
   );
 });
+function formatRelativeTime(timestamp) {
+  const diff = Date.now() - new Date(timestamp).getTime();
+  const sec = Math.floor(diff / 1e3);
+  if (sec < 60) return `${sec}s ago`;
+  const min = Math.floor(sec / 60);
+  if (min < 60) return `${min}m ago`;
+  const hrs = Math.floor(min / 60);
+  if (hrs < 24) return `${hrs}h ago`;
+  return new Date(timestamp).toLocaleDateString();
+}
+program.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
+  const logPath = import_path5.default.join(import_os5.default.homedir(), ".node9", "audit.log");
+  if (!import_fs5.default.existsSync(logPath)) {
+    console.log(
+      import_chalk5.default.yellow("No audit logs found. Run node9 with an agent to generate entries.")
+    );
+    return;
+  }
+  const raw = import_fs5.default.readFileSync(logPath, "utf-8");
+  const lines = raw.split("\n").filter((l) => l.trim() !== "");
+  let entries = lines.flatMap((line) => {
+    try {
+      return [JSON.parse(line)];
+    } catch {
+      return [];
+    }
+  });
+  entries = entries.map((e) => ({
+    ...e,
+    decision: String(e.decision).startsWith("allow") ? "allow" : "deny"
+  }));
+  if (options.tool) entries = entries.filter((e) => String(e.tool).includes(options.tool));
+  if (options.deny) entries = entries.filter((e) => e.decision === "deny");
+  const limit = Math.max(1, parseInt(options.tail, 10) || 20);
+  entries = entries.slice(-limit);
+  if (options.json) {
+    console.log(JSON.stringify(entries, null, 2));
+    return;
+  }
+  if (entries.length === 0) {
+    console.log(import_chalk5.default.yellow("No matching audit entries."));
+    return;
+  }
+  console.log(
+    `
+  ${import_chalk5.default.bold("Node9 Audit Log")}  ${import_chalk5.default.dim(`(${entries.length} entries)`)}`
+  );
+  console.log(import_chalk5.default.dim("  " + "\u2500".repeat(65)));
+  console.log(
+    `  ${"Time".padEnd(12)} ${"Tool".padEnd(18)} ${"Result".padEnd(10)} ${"By".padEnd(15)} Agent`
+  );
+  console.log(import_chalk5.default.dim("  " + "\u2500".repeat(65)));
+  for (const e of entries) {
+    const time = formatRelativeTime(String(e.ts)).padEnd(12);
+    const tool = String(e.tool).slice(0, 17).padEnd(18);
+    const result = e.decision === "allow" ? import_chalk5.default.green("ALLOW".padEnd(10)) : import_chalk5.default.red("DENY".padEnd(10));
+    const checker = String(e.checkedBy || "unknown").slice(0, 14).padEnd(15);
+    const agent = String(e.agent || "unknown");
+    console.log(`  ${time} ${tool} ${result} ${checker} ${agent}`);
+  }
+  const allowed = entries.filter((e) => e.decision === "allow").length;
+  const denied = entries.filter((e) => e.decision === "deny").length;
+  console.log(import_chalk5.default.dim("  " + "\u2500".repeat(65)));
+  console.log(
+    `  ${entries.length} entries  |  ${import_chalk5.default.green(allowed + " allowed")}  |  ${import_chalk5.default.red(denied + " denied")}
+`
+  );
+});
 program.command("status").description("Show current Node9 mode, policy source, and persistent decisions").action(() => {
   const creds = getCredentials();
   const daemonRunning = isDaemonRunning();

package/dist/cli.mjs

@@ -321,6 +321,43 @@ function getNestedValue(obj, path6) {
   if (!obj || typeof obj !== "object") return null;
   return path6.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
+function evaluateSmartConditions(args, rule) {
+  if (!rule.conditions || rule.conditions.length === 0) return true;
+  const mode = rule.conditionMode ?? "all";
+  const results = rule.conditions.map((cond) => {
+    const rawVal = getNestedValue(args, cond.field);
+    const val = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    switch (cond.op) {
+      case "exists":
+        return val !== null && val !== "";
+      case "notExists":
+        return val === null || val === "";
+      case "contains":
+        return val !== null && cond.value ? val.includes(cond.value) : false;
+      case "notContains":
+        return val !== null && cond.value ? !val.includes(cond.value) : true;
+      case "matches": {
+        if (val === null || !cond.value) return false;
+        try {
+          return new RegExp(cond.value, cond.flags ?? "").test(val);
+        } catch {
+          return false;
+        }
+      }
+      case "notMatches": {
+        if (val === null || !cond.value) return true;
+        try {
+          return !new RegExp(cond.value, cond.flags ?? "").test(val);
+        } catch {
+          return true;
+        }
+      }
+      default:
+        return false;
+    }
+  });
+  return mode === "any" ? results.some((r) => r) : results.every((r) => r);
+}
 function extractShellCommand(toolName, args, toolInspection) {
   const patterns = Object.keys(toolInspection);
   const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
@@ -337,15 +374,6 @@ function isSqlTool(toolName, toolInspection) {
   return fieldName === "sql" || fieldName === "query";
 }
 var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
-function checkDangerousSql(sql) {
-  const norm = sql.replace(/\s+/g, " ").trim().toLowerCase();
-  const hasWhere = /\bwhere\b/.test(norm);
-  if (/^delete\s+from\s+\S+/.test(norm) && !hasWhere)
-    return "DELETE without WHERE \u2014 full table wipe";
-  if (/^update\s+\S+\s+set\s+/.test(norm) && !hasWhere)
-    return "UPDATE without WHERE \u2014 updates every row";
-  return null;
-}
 async function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
@@ -445,6 +473,8 @@ var DEFAULT_CONFIG = {
     enableUndo: true,
     // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
     enableHookLogDebug: false,
+    approvalTimeoutMs: 0,
+    // 0 = disabled; set e.g. 30000 for 30-second auto-deny
     approvers: { native: true, browser: true, cloud: true, terminal: true }
   },
   policy: {
@@ -493,6 +523,19 @@ var DEFAULT_CONFIG = {
           ".DS_Store"
         ]
       }
+    ],
+    smartRules: [
+      {
+        name: "no-delete-without-where",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
+          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+      }
     ]
   },
   environments: {}
@@ -539,6 +582,19 @@ function getInternalToken() {
 async function evaluatePolicy(toolName, args, agent) {
   const config = getConfig();
   if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
+  if (config.policy.smartRules.length > 0) {
+    const matchedRule = config.policy.smartRules.find(
+      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+    );
+    if (matchedRule) {
+      if (matchedRule.verdict === "allow") return { decision: "allow" };
+      return {
+        decision: matchedRule.verdict,
+        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
+        reason: matchedRule.reason
+      };
+    }
+  }
   let allTokens = [];
   let actionTokens = [];
   let pathTokens = [];
@@ -553,8 +609,6 @@ async function evaluatePolicy(toolName, args, agent) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)" };
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
-      const sqlDanger = checkDangerousSql(shellCommand);
-      if (sqlDanger) return { decision: "review", blockedByLabel: `SQL Safety: ${sqlDanger}` };
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
@@ -684,6 +738,44 @@ async function explainPolicy(toolName, args) {
     outcome: "checked",
     detail: `"${toolName}" not in ignoredTools list`
   });
+  if (config.policy.smartRules.length > 0) {
+    const matchedRule = config.policy.smartRules.find(
+      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+    );
+    if (matchedRule) {
+      const label = `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`;
+      if (matchedRule.verdict === "allow") {
+        steps.push({
+          name: "Smart rules",
+          outcome: "allow",
+          detail: `${label} \u2192 allow`,
+          isFinal: true
+        });
+        return { tool: toolName, args, waterfall, steps, decision: "allow" };
+      }
+      steps.push({
+        name: "Smart rules",
+        outcome: matchedRule.verdict,
+        detail: `${label} \u2192 ${matchedRule.verdict}${matchedRule.reason ? `: ${matchedRule.reason}` : ""}`,
+        isFinal: true
+      });
+      return {
+        tool: toolName,
+        args,
+        waterfall,
+        steps,
+        decision: matchedRule.verdict,
+        blockedByLabel: label
+      };
+    }
+    steps.push({
+      name: "Smart rules",
+      outcome: "checked",
+      detail: `No smart rule matched "${toolName}"`
+    });
+  } else {
+    steps.push({ name: "Smart rules", outcome: "skip", detail: "No smart rules configured" });
+  }
   let allTokens = [];
   let actionTokens = [];
   let pathTokens = [];
@@ -724,29 +816,12 @@ async function explainPolicy(toolName, args) {
       detail: "No inline execution pattern detected"
     });
     if (isSqlTool(toolName, config.policy.toolInspection)) {
-      const sqlDanger = checkDangerousSql(shellCommand);
-      if (sqlDanger) {
-        steps.push({
-          name: "SQL safety",
-          outcome: "review",
-          detail: sqlDanger,
-          isFinal: true
-        });
-        return {
-          tool: toolName,
-          args,
-          waterfall,
-          steps,
-          decision: "review",
-          blockedByLabel: `SQL Safety: ${sqlDanger}`
-        };
-      }
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       steps.push({
-        name: "SQL safety",
+        name: "SQL token stripping",
         outcome: "checked",
-        detail: "DELETE/UPDATE have a WHERE clause \u2014 scoped mutation, safe"
+        detail: "DML keywords stripped from tokens (SQL safety handled by smart rules)"
       });
     }
   } else {
@@ -1047,6 +1122,15 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
+    if (policyResult.decision === "block") {
+      if (!isManual) appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta);
+      return {
+        approved: false,
+        reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
+        blockedBy: "local-config",
+        blockedByLabel: policyResult.blockedByLabel
+      };
+    }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
@@ -1115,6 +1199,25 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   const abortController = new AbortController();
   const { signal } = abortController;
   const racePromises = [];
+  const approvalTimeoutMs = config.settings.approvalTimeoutMs ?? 0;
+  if (approvalTimeoutMs > 0) {
+    racePromises.push(
+      new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+          resolve({
+            approved: false,
+            reason: `No human response within ${approvalTimeoutMs / 1e3}s \u2014 auto-denied by timeout policy.`,
+            blockedBy: "timeout",
+            blockedByLabel: "Approval Timeout"
+          });
+        }, approvalTimeoutMs);
+        signal.addEventListener("abort", () => {
+          clearTimeout(timer);
+          reject(new Error("Aborted"));
+        });
+      })
+    );
+  }
   let viewerId = null;
   const internalToken = getInternalToken();
   if (cloudEnforced && cloudRequestId) {
@@ -1315,7 +1418,8 @@ function getConfig() {
     dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
     ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
     toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    rules: [...DEFAULT_CONFIG.policy.rules]
+    rules: [...DEFAULT_CONFIG.policy.rules],
+    smartRules: [...DEFAULT_CONFIG.policy.smartRules]
   };
   const applyLayer = (source) => {
     if (!source) return;
@@ -1334,6 +1438,7 @@ function getConfig() {
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
     if (p.rules) mergedPolicy.rules.push(...p.rules);
+    if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
@@ -3838,6 +3943,74 @@ program.command("init").description("Create ~/.node9/config.json with default po
     chalk5.gray(`   Undo Engine is ENABLED by default. Use 'node9 undo' to revert AI changes.`)
   );
 });
+function formatRelativeTime(timestamp) {
+  const diff = Date.now() - new Date(timestamp).getTime();
+  const sec = Math.floor(diff / 1e3);
+  if (sec < 60) return `${sec}s ago`;
+  const min = Math.floor(sec / 60);
+  if (min < 60) return `${min}m ago`;
+  const hrs = Math.floor(min / 60);
+  if (hrs < 24) return `${hrs}h ago`;
+  return new Date(timestamp).toLocaleDateString();
+}
+program.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
+  const logPath = path5.join(os5.homedir(), ".node9", "audit.log");
+  if (!fs5.existsSync(logPath)) {
+    console.log(
+      chalk5.yellow("No audit logs found. Run node9 with an agent to generate entries.")
+    );
+    return;
+  }
+  const raw = fs5.readFileSync(logPath, "utf-8");
+  const lines = raw.split("\n").filter((l) => l.trim() !== "");
+  let entries = lines.flatMap((line) => {
+    try {
+      return [JSON.parse(line)];
+    } catch {
+      return [];
+    }
+  });
+  entries = entries.map((e) => ({
+    ...e,
+    decision: String(e.decision).startsWith("allow") ? "allow" : "deny"
+  }));
+  if (options.tool) entries = entries.filter((e) => String(e.tool).includes(options.tool));
+  if (options.deny) entries = entries.filter((e) => e.decision === "deny");
+  const limit = Math.max(1, parseInt(options.tail, 10) || 20);
+  entries = entries.slice(-limit);
+  if (options.json) {
+    console.log(JSON.stringify(entries, null, 2));
+    return;
+  }
+  if (entries.length === 0) {
+    console.log(chalk5.yellow("No matching audit entries."));
+    return;
+  }
+  console.log(
+    `
+  ${chalk5.bold("Node9 Audit Log")}  ${chalk5.dim(`(${entries.length} entries)`)}`
+  );
+  console.log(chalk5.dim("  " + "\u2500".repeat(65)));
+  console.log(
+    `  ${"Time".padEnd(12)} ${"Tool".padEnd(18)} ${"Result".padEnd(10)} ${"By".padEnd(15)} Agent`
+  );
+  console.log(chalk5.dim("  " + "\u2500".repeat(65)));
+  for (const e of entries) {
+    const time = formatRelativeTime(String(e.ts)).padEnd(12);
+    const tool = String(e.tool).slice(0, 17).padEnd(18);
+    const result = e.decision === "allow" ? chalk5.green("ALLOW".padEnd(10)) : chalk5.red("DENY".padEnd(10));
+    const checker = String(e.checkedBy || "unknown").slice(0, 14).padEnd(15);
+    const agent = String(e.agent || "unknown");
+    console.log(`  ${time} ${tool} ${result} ${checker} ${agent}`);
+  }
+  const allowed = entries.filter((e) => e.decision === "allow").length;
+  const denied = entries.filter((e) => e.decision === "deny").length;
+  console.log(chalk5.dim("  " + "\u2500".repeat(65)));
+  console.log(
+    `  ${entries.length} entries  |  ${chalk5.green(allowed + " allowed")}  |  ${chalk5.red(denied + " denied")}
+`
+  );
+});
 program.command("status").description("Show current Node9 mode, policy source, and persistent decisions").action(() => {
   const creds = getCredentials();
   const daemonRunning = isDaemonRunning();

package/dist/index.js

@@ -342,6 +342,43 @@ function getNestedValue(obj, path2) {
   if (!obj || typeof obj !== "object") return null;
   return path2.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
+function evaluateSmartConditions(args, rule) {
+  if (!rule.conditions || rule.conditions.length === 0) return true;
+  const mode = rule.conditionMode ?? "all";
+  const results = rule.conditions.map((cond) => {
+    const rawVal = getNestedValue(args, cond.field);
+    const val = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    switch (cond.op) {
+      case "exists":
+        return val !== null && val !== "";
+      case "notExists":
+        return val === null || val === "";
+      case "contains":
+        return val !== null && cond.value ? val.includes(cond.value) : false;
+      case "notContains":
+        return val !== null && cond.value ? !val.includes(cond.value) : true;
+      case "matches": {
+        if (val === null || !cond.value) return false;
+        try {
+          return new RegExp(cond.value, cond.flags ?? "").test(val);
+        } catch {
+          return false;
+        }
+      }
+      case "notMatches": {
+        if (val === null || !cond.value) return true;
+        try {
+          return !new RegExp(cond.value, cond.flags ?? "").test(val);
+        } catch {
+          return true;
+        }
+      }
+      default:
+        return false;
+    }
+  });
+  return mode === "any" ? results.some((r) => r) : results.every((r) => r);
+}
 function extractShellCommand(toolName, args, toolInspection) {
   const patterns = Object.keys(toolInspection);
   const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
@@ -358,15 +395,6 @@ function isSqlTool(toolName, toolInspection) {
   return fieldName === "sql" || fieldName === "query";
 }
 var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
-function checkDangerousSql(sql) {
-  const norm = sql.replace(/\s+/g, " ").trim().toLowerCase();
-  const hasWhere = /\bwhere\b/.test(norm);
-  if (/^delete\s+from\s+\S+/.test(norm) && !hasWhere)
-    return "DELETE without WHERE \u2014 full table wipe";
-  if (/^update\s+\S+\s+set\s+/.test(norm) && !hasWhere)
-    return "UPDATE without WHERE \u2014 updates every row";
-  return null;
-}
 async function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
@@ -466,6 +494,8 @@ var DEFAULT_CONFIG = {
     enableUndo: true,
     // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
     enableHookLogDebug: false,
+    approvalTimeoutMs: 0,
+    // 0 = disabled; set e.g. 30000 for 30-second auto-deny
     approvers: { native: true, browser: true, cloud: true, terminal: true }
   },
   policy: {
@@ -514,6 +544,19 @@ var DEFAULT_CONFIG = {
           ".DS_Store"
         ]
       }
+    ],
+    smartRules: [
+      {
+        name: "no-delete-without-where",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
+          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+      }
     ]
   },
   environments: {}
@@ -533,6 +576,19 @@ function getInternalToken() {
 async function evaluatePolicy(toolName, args, agent) {
   const config = getConfig();
   if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
+  if (config.policy.smartRules.length > 0) {
+    const matchedRule = config.policy.smartRules.find(
+      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+    );
+    if (matchedRule) {
+      if (matchedRule.verdict === "allow") return { decision: "allow" };
+      return {
+        decision: matchedRule.verdict,
+        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
+        reason: matchedRule.reason
+      };
+    }
+  }
   let allTokens = [];
   let actionTokens = [];
   let pathTokens = [];
@@ -547,8 +603,6 @@ async function evaluatePolicy(toolName, args, agent) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)" };
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
-      const sqlDanger = checkDangerousSql(shellCommand);
-      if (sqlDanger) return { decision: "review", blockedByLabel: `SQL Safety: ${sqlDanger}` };
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
@@ -762,6 +816,15 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
+    if (policyResult.decision === "block") {
+      if (!isManual) appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta);
+      return {
+        approved: false,
+        reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
+        blockedBy: "local-config",
+        blockedByLabel: policyResult.blockedByLabel
+      };
+    }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
@@ -830,6 +893,25 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   const abortController = new AbortController();
   const { signal } = abortController;
   const racePromises = [];
+  const approvalTimeoutMs = config.settings.approvalTimeoutMs ?? 0;
+  if (approvalTimeoutMs > 0) {
+    racePromises.push(
+      new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+          resolve({
+            approved: false,
+            reason: `No human response within ${approvalTimeoutMs / 1e3}s \u2014 auto-denied by timeout policy.`,
+            blockedBy: "timeout",
+            blockedByLabel: "Approval Timeout"
+          });
+        }, approvalTimeoutMs);
+        signal.addEventListener("abort", () => {
+          clearTimeout(timer);
+          reject(new Error("Aborted"));
+        });
+      })
+    );
+  }
   let viewerId = null;
   const internalToken = getInternalToken();
   if (cloudEnforced && cloudRequestId) {
@@ -1030,7 +1112,8 @@ function getConfig() {
     dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
     ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
     toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    rules: [...DEFAULT_CONFIG.policy.rules]
+    rules: [...DEFAULT_CONFIG.policy.rules],
+    smartRules: [...DEFAULT_CONFIG.policy.smartRules]
   };
   const applyLayer = (source) => {
     if (!source) return;
@@ -1049,6 +1132,7 @@ function getConfig() {
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
     if (p.rules) mergedPolicy.rules.push(...p.rules);
+    if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);

package/dist/index.mjs

@@ -306,6 +306,43 @@ function getNestedValue(obj, path2) {
   if (!obj || typeof obj !== "object") return null;
   return path2.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
+function evaluateSmartConditions(args, rule) {
+  if (!rule.conditions || rule.conditions.length === 0) return true;
+  const mode = rule.conditionMode ?? "all";
+  const results = rule.conditions.map((cond) => {
+    const rawVal = getNestedValue(args, cond.field);
+    const val = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    switch (cond.op) {
+      case "exists":
+        return val !== null && val !== "";
+      case "notExists":
+        return val === null || val === "";
+      case "contains":
+        return val !== null && cond.value ? val.includes(cond.value) : false;
+      case "notContains":
+        return val !== null && cond.value ? !val.includes(cond.value) : true;
+      case "matches": {
+        if (val === null || !cond.value) return false;
+        try {
+          return new RegExp(cond.value, cond.flags ?? "").test(val);
+        } catch {
+          return false;
+        }
+      }
+      case "notMatches": {
+        if (val === null || !cond.value) return true;
+        try {
+          return !new RegExp(cond.value, cond.flags ?? "").test(val);
+        } catch {
+          return true;
+        }
+      }
+      default:
+        return false;
+    }
+  });
+  return mode === "any" ? results.some((r) => r) : results.every((r) => r);
+}
 function extractShellCommand(toolName, args, toolInspection) {
   const patterns = Object.keys(toolInspection);
   const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
@@ -322,15 +359,6 @@ function isSqlTool(toolName, toolInspection) {
   return fieldName === "sql" || fieldName === "query";
 }
 var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
-function checkDangerousSql(sql) {
-  const norm = sql.replace(/\s+/g, " ").trim().toLowerCase();
-  const hasWhere = /\bwhere\b/.test(norm);
-  if (/^delete\s+from\s+\S+/.test(norm) && !hasWhere)
-    return "DELETE without WHERE \u2014 full table wipe";
-  if (/^update\s+\S+\s+set\s+/.test(norm) && !hasWhere)
-    return "UPDATE without WHERE \u2014 updates every row";
-  return null;
-}
 async function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
@@ -430,6 +458,8 @@ var DEFAULT_CONFIG = {
     enableUndo: true,
     // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
     enableHookLogDebug: false,
+    approvalTimeoutMs: 0,
+    // 0 = disabled; set e.g. 30000 for 30-second auto-deny
     approvers: { native: true, browser: true, cloud: true, terminal: true }
   },
   policy: {
@@ -478,6 +508,19 @@ var DEFAULT_CONFIG = {
           ".DS_Store"
         ]
       }
+    ],
+    smartRules: [
+      {
+        name: "no-delete-without-where",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
+          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+      }
     ]
   },
   environments: {}
@@ -497,6 +540,19 @@ function getInternalToken() {
 async function evaluatePolicy(toolName, args, agent) {
   const config = getConfig();
   if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
+  if (config.policy.smartRules.length > 0) {
+    const matchedRule = config.policy.smartRules.find(
+      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+    );
+    if (matchedRule) {
+      if (matchedRule.verdict === "allow") return { decision: "allow" };
+      return {
+        decision: matchedRule.verdict,
+        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
+        reason: matchedRule.reason
+      };
+    }
+  }
   let allTokens = [];
   let actionTokens = [];
   let pathTokens = [];
@@ -511,8 +567,6 @@ async function evaluatePolicy(toolName, args, agent) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)" };
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
-      const sqlDanger = checkDangerousSql(shellCommand);
-      if (sqlDanger) return { decision: "review", blockedByLabel: `SQL Safety: ${sqlDanger}` };
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
@@ -726,6 +780,15 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
+    if (policyResult.decision === "block") {
+      if (!isManual) appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta);
+      return {
+        approved: false,
+        reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
+        blockedBy: "local-config",
+        blockedByLabel: policyResult.blockedByLabel
+      };
+    }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
@@ -794,6 +857,25 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   const abortController = new AbortController();
   const { signal } = abortController;
   const racePromises = [];
+  const approvalTimeoutMs = config.settings.approvalTimeoutMs ?? 0;
+  if (approvalTimeoutMs > 0) {
+    racePromises.push(
+      new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+          resolve({
+            approved: false,
+            reason: `No human response within ${approvalTimeoutMs / 1e3}s \u2014 auto-denied by timeout policy.`,
+            blockedBy: "timeout",
+            blockedByLabel: "Approval Timeout"
+          });
+        }, approvalTimeoutMs);
+        signal.addEventListener("abort", () => {
+          clearTimeout(timer);
+          reject(new Error("Aborted"));
+        });
+      })
+    );
+  }
   let viewerId = null;
   const internalToken = getInternalToken();
   if (cloudEnforced && cloudRequestId) {
@@ -994,7 +1076,8 @@ function getConfig() {
     dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
     ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
     toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    rules: [...DEFAULT_CONFIG.policy.rules]
+    rules: [...DEFAULT_CONFIG.policy.rules],
+    smartRules: [...DEFAULT_CONFIG.policy.smartRules]
   };
   const applyLayer = (source) => {
     if (!source) return;
@@ -1013,6 +1096,7 @@ function getConfig() {
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
     if (p.rules) mergedPolicy.rules.push(...p.rules);
+    if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",